Password Security


Password Guidelines

  • Use a longer passphrase rather than the minimum; more characters = more secure.
  • Adding numbers and symbols in place of letters isn't better security; selecting a long passphrase is.
  • Passphrases are phrases that are easy to remember and hard to guess and crack.
  • An example of a passphrase is Unicorn-Hugs-All-Day!.  It meets our complexity requirements and is easy to remember.
  • Change passwords whenever there is a security concern.
  • Never share your password with others.
  • Never write down your password and leave it visible.
  • Don't reuse passwords for multiple sites (bank, school, email, social media).
  • Consider using a password manager (see below).
  • Never enter passwords on untrusted web pages (look for a green padlock, or other indication of encryption security, in the address field).
  • Be wary of using the "save password" option in your browser.
  • Use two-factor options when available.

Password Managers

One of the most important steps you can take to protect yourself online is to use a unique, strong password for every one of your accounts and apps.  Unfortunately, it is almost impossible to remember a different password for every account, which is why so many people reuse the same one.  Reusing a password across accounts is dangerous, because once someone compromises that password, they can access every account that uses it.  A simple solution is to use a password manager, sometimes called a password vault.  These are programs that securely store all your passwords, making it easy to have a different password for each account.  Instead of having to remember all your passwords, you only have to remember the master password to your password manager.

Avoid any password manager that claims to be able to recover your master password for you.  This means they know your master password, which exposes you to too much risk.  Password managers are a great way to securely store all your passwords and other sensitive data.   However, since they safeguard such important information, make sure you use a unique, strong master password that is not only hard for an attacker to guess, but easy for you to remember. [1]
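To make the "behind one master password" idea concrete, here is an added illustration (not code from the original page or from any of the managers listed) of how a vault can be sealed with a key derived from the master password: the key comes from scrypt and is never stored, so without the master password the vault simply cannot be opened, which is exactly why a manager that can "recover" your master password must be holding it somewhere. It uses only the Python standard library; the HMAC-SHA256 counter-mode keystream with encrypt-then-MAC is an assumed stand-in for the AES-based encryption real products use, and the sample entries are constructed.

```python
import hashlib
import hmac
import json
import os


def derive_key(master_password, salt):
    # scrypt is memory-hard, so guessing master passwords offline is slow.
    # The result is never written anywhere; it exists only while the vault is open.
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (illustrative).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(master_password, entries):
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]  # separate keys for encryption and integrity
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Only salt, nonce, ciphertext and tag are stored; none of them reveal the master password.
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password, vault):
    key = derive_key(master_password, bytes.fromhex(vault["salt"]))
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct = bytes.fromhex(vault["nonce"]), bytes.fromhex(vault["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(vault["tag"])):
        return None  # wrong master password or a tampered vault file
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


if __name__ == "__main__":
    vault = seal_vault("Unicorn-Hugs-All-Day!", {"bank": "constructed-example-secret"})
    print(open_vault("Unicorn-Hugs-All-Day!", vault))
    print(open_vault("wrong-master-password", vault))  # None: nothing to recover
```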

Here are some password managers:

  • 1Password - A password manager that protects a variety of data (passwords, bank account information, identities, etc.) behind one master password. It works across multiple devices and platforms. There is an annual subscription ($2.99/month, billed annually), but the first 30 days are free.
  • Bitwarden - An open source password manager that can be used locally, with its cloud service, or even self-hosted, with both free and paid subscription options.
  • DashLane - A password manager and digital wallet that can keep track of many types of secure information. The free version works on one device and stores up to 50 passwords, but to access passwords in multiple places you'll have to go premium ($4.99/month, billed annually).
  • KeePassXC - A free and open-source local password manager. KeePassXC is an updated, cross-platform version of the popular KeePass.

These days, browsers will offer to remember your passwords for you. However, browsers are frequently targeted for attacks.  It's better to use a password manager, whose sole purpose is to encrypt and protect your data.

[1] https://www.sans.org/security-awareness-training/ouch-newsletter/2017/password-managers